Potential fix for code scanning alert no. 2: Open URL redirect

[grokify]

Potential fix for https://github.com/agentplexus/mcpkit/security/code-scanning/2

In general, to fix open redirect issues you must ensure that any URL used in http.Redirect is either chosen from a server-side whitelist or is strictly validated (e.g., ensuring it is a relative URL or that its scheme/host/path match an approved value) before redirecting. User-controlled input should never determine the redirect target without such checks.

For this specific code, the best fix without changing existing functionality is to validate redirectURI before using it in redirectWithError. The file already defines isValidRedirectURI(uri string, allowed []string) bool, which checks that a requested redirect URI matches an allowed value. We should therefore use that helper inside redirectWithError. Since redirectWithError currently has no access to client metadata or an allowlist, the most minimal and conservative change is to enforce that redirectURI is local (no scheme/host), similar to the example in the background description: normalize backslashes, parse the URI, and require that the hostname is empty before redirecting. If validation fails, we should fall back to rendering an error page instead of redirecting.

Concretely:

• In redirectWithError, normalize redirectURI by replacing \ with /, then call url.Parse on the normalized string.
• After parsing, check that u.Hostname() is empty. If not, treat it as invalid and call s.renderLoginError instead of redirecting.
• Keep the existing query-parameter augmentation and redirect logic, but only execute it if validation passed.
• This change is entirely within oauth2/handlers.go, in the redirectWithError function; imports remain the same (net/url and strings are already imported).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.